Description
SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.

Affected versions:
Spring Security 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10.
Published: 2026-06-09
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the SubjectDnX509PrincipalExtractor causes certain malformed X.509 certificate Common Name values to be misread as the username, allowing a crafted certificate to impersonate another user. This results in the attacker assuming the identity of a legitimate user and gaining the permissions associated with that account.

Affected Systems

Spring Security versions 5.7.0 through 5.7.24, 5.8.0 through 5.8.26, 6.3.0 through 6.3.17, 6.4.0 through 6.4.17, and 6.5.0 through 6.5.10 are affected.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity. Because EPSS is not available, the likelihood of exploitation is uncertain, and the vulnerability is not listed in CISA KEV, implying no known widespread attacks. An attacker with the ability to present an X.509 client certificate to a Spring Security-enabled application that uses client certificate authentication can exploit this flaw by crafting a certificate whose Common Name is interpreted as a different user's principal, thereby impersonating that user.

Generated by OpenCVE AI on June 10, 2026 at 01:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Security to a version newer than 5.7.25, 5.8.27, 6.3.18, 6.4.18, or 6.5.11.
  • Confirm that client certificate authentication is restricted to trusted issuers and that the application enforces proper certificate validation.
  • Add checks to ensure the Common Name extracted from the client certificate matches the expected user identifier or configure Spring Security to use a safer principal extractor.
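As an added illustration of the last two recommended actions (example code written for this page, not code from the advisory, from OpenCVE or from the Spring Security project): a custom X509PrincipalExtractor, named StrictCnPrincipalExtractor here (a hypothetical name), that parses the subject DN structurally with the JDK's RFC 2253 parser (javax.naming.ldap.LdapName) instead of matching text against the DN string, pins the issuer to an expected CA, and rejects any subject that does not carry exactly one string-valued CN matching an allow-listed username pattern. The issuer DN and the ALLOWED_USERNAME pattern are assumed deployment policy, not values from the page.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;

/**
 * Hypothetical strict principal extractor (example code, not part of Spring Security).
 * The subject DN is parsed as a structured name and the principal is accepted only when
 * the certificate comes from the expected issuer and the subject has exactly one CN.
 */
public class StrictCnPrincipalExtractor implements X509PrincipalExtractor {

    // Assumed deployment policy: usernames are short, ASCII and free of DN metacharacters.
    private static final Pattern ALLOWED_USERNAME = Pattern.compile("[A-Za-z0-9._@-]{1,64}");

    private final X500Principal expectedIssuer;

    public StrictCnPrincipalExtractor(X500Principal expectedIssuer) {
        this.expectedIssuer = expectedIssuer;
    }

    @Override
    public Object extractPrincipal(X509Certificate cert) {
        // Issuer pinning on top of the TLS trust store: X500Principal.equals compares
        // canonical forms, so this is not a raw string comparison.
        if (!expectedIssuer.equals(cert.getIssuerX500Principal())) {
            throw new BadCredentialsException("Client certificate not issued by the expected CA");
        }

        String username = singleCommonName(cert.getSubjectX500Principal());

        // Allow-list the extracted value before it becomes a principal.
        if (!ALLOWED_USERNAME.matcher(username).matches()) {
            throw new BadCredentialsException("CN is not an acceptable username");
        }
        return username;
    }

    /** Returns the sole CN value of the subject, or throws if there is not exactly one. */
    static String singleCommonName(X500Principal subject) {
        List<String> cns = new ArrayList<>();
        try {
            // RFC 2253 is the escaped, parseable form that LdapName expects.
            LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
            for (Rdn rdn : dn.getRdns()) {
                // Walk every attribute so a multi-valued RDN such as "CN=x+OU=y" is not missed.
                NamingEnumeration<? extends Attribute> attrs = rdn.toAttributes().getAll();
                while (attrs.hasMore()) {
                    Attribute attr = attrs.next();
                    if ("CN".equalsIgnoreCase(attr.getID())) {
                        // Hex-encoded (binary) values are parsed to byte[]; those are not usernames.
                        Object value = attr.get();
                        if (!(value instanceof String)) {
                            throw new BadCredentialsException("CN is not a string value");
                        }
                        cns.add((String) value);
                    }
                }
            }
        } catch (NamingException e) {
            throw new BadCredentialsException("Subject DN could not be parsed", e);
        }
        if (cns.size() != 1) {
            throw new BadCredentialsException(
                    "Subject must carry exactly one CN, found " + cns.size());
        }
        return cns.get(0);
    }
}
```

The extractor is wired in through the X.509 configurer, for example `http.x509(x509 -> x509.x509PrincipalExtractor(new StrictCnPrincipalExtractor(new X500Principal("CN=Example Client CA,O=Example"))))` with the CA DN replaced by the real issuer. The issuer check in the extractor complements, and does not replace, a server-side trust store limited to that CA; failing closed on zero or multiple CNs and on unparseable DNs is what keeps an ambiguous subject from ever being mapped to a user.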

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 02:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Spring; Spring spring Security
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Spring; Spring spring Security

Wed, 10 Jun 2026 00:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. Affected versions: Spring Security 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10.
Type: Title
  Values Removed: (none)
  Values Added: Unauthorized User Impersonation when Using X.509 Client Certificates
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-287
Type: References
  Values Removed: (none)
  Values Added: (none)
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T23:50:07.988Z

Reserved: 2026-05-20T10:00:51.003Z

Link: CVE-2026-47838

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T00:16:54.897

Modified: 2026-06-10T00:16:54.897

Link: CVE-2026-47838

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T02:15:19Z

Weaknesses